feat(approvals) RejectConfig for request_permissions (#14118)

## Summary We need to support allowing request_permissions calls when using `Reject` policy <img width="1133" height="588" alt="Screenshot 2026-03-09 at 12 06 40 PM" src="https://github.com/user-attachments/assets/a8df987f-c225-4866-b8ab-5590960daec5" /> Note that this is a backwards-incompatible change for Reject policy. I'm not sure if we need to add a default based on our current use/setup ## Testing - [x] Added tests - [x] Tested locally
2026-05-04 05:11:37 +03:00 · 2026-03-09 18:16:54 -07:00
parent c1defcc98c
commit 6da84efed8
28 changed files with 285 additions and 1 deletions
--- a/codex-rs/protocol/src/protocol.rs
+++ b/codex-rs/protocol/src/protocol.rs
@@ -526,6 +526,8 @@ pub struct RejectConfig {
    pub sandbox_approval: bool,
    /// Reject prompts triggered by execpolicy `prompt` rules.
    pub rules: bool,
+    /// Reject approval prompts related to built-in permission requests.
+    pub request_permissions: bool,
    /// Reject MCP elicitation prompts.
    pub mcp_elicitations: bool,
 }
@@ -539,6 +541,10 @@ impl RejectConfig {
        self.rules
    }

+    pub const fn rejects_request_permissions(self) -> bool {
+        self.request_permissions
+    }
+
    pub const fn rejects_mcp_elicitations(self) -> bool {
        self.mcp_elicitations
    }
@@ -3298,6 +3304,7 @@ mod tests {
            RejectConfig {
                sandbox_approval: false,
                rules: false,
+                request_permissions: false,
                mcp_elicitations: true,
            }
            .rejects_mcp_elicitations()
@@ -3306,12 +3313,35 @@ mod tests {
            !RejectConfig {
                sandbox_approval: false,
                rules: false,
+                request_permissions: false,
                mcp_elicitations: false,
            }
            .rejects_mcp_elicitations()
        );
    }

+    #[test]
+    fn reject_config_request_permissions_flag_is_field_driven() {
+        assert!(
+            RejectConfig {
+                sandbox_approval: false,
+                rules: false,
+                request_permissions: true,
+                mcp_elicitations: false,
+            }
+            .rejects_request_permissions()
+        );
+        assert!(
+            !RejectConfig {
+                sandbox_approval: false,
+                rules: false,
+                request_permissions: false,
+                mcp_elicitations: false,
+            }
+            .rejects_request_permissions()
+        );
+    }
+
    #[test]
    fn workspace_write_restricted_read_access_includes_effective_writable_roots() {
        let cwd = if cfg!(windows) {